Spoofed Zoom, Google & Skype Meetings Infect Corporate Systems with RATs


In a recent development, a threat actor has been detected creating fake Skype, Google Meet, and Zoom meetings as a means to distribute commodity malware that can potentially steal sensitive data from Android and Windows users. This campaign, which first emerged in December, has raised concerns among cybersecurity experts for its potential threat to corporate users.

Researchers from Zscaler’s ThreatLabz uncovered this emerging cybersecurity threat on March 6, highlighting how the attackers are utilizing shared Web hosting to host fraudulent online meeting sites on a single IP address. By using URLs that closely resemble the legitimate websites of the targeted services, such as “join-skype[.]info” for Skype, “online-cloudmeeting[.]pro” for Google Meet, and “us06webzoomus[.]pro” for Zoom, the threat actors aim to deceive unsuspecting users into clicking on malicious links.

The threat actors behind this scheme are employing various tactics to deliver harmful payloads to target both Android and Windows users. Android users are at risk of falling victim to the SpyNote RAT, while Windows users may be targeted with NjRAT and DCRat, which are capable of compromising their systems and stealing confidential information.

According to the researchers Himanshu Sharma, Arkaprva Tripathi, and Meghraj Nandanwar from ThreatLabz, these lures are being used to propagate Remote Access Trojans (RATs) that can log keystrokes, steal files, and extract sensitive data from compromised devices.

The attackers initiated their deceptive tactics in December by impersonating Skype and Google Meet users, gradually expanding their scope to include Zoom impersonation in January. Each campaign comes with its unique lure and attack vector, with the Skype campaign directing Windows users to download a malicious executable file disguised as a legitimate Skype application. Similarly, the fake Google Meet site offers links to download what appears to be Skype applications for Android (SpyNote RAT) and Windows (DCRat payload).

The fake Zoom site employs an additional trick to deceive users: it presents a link with a subpath that closely mirrors a legitimate Zoom meeting ID. Furthermore, both the fake Google Meet and Zoom websites feature an open directory containing two additional Windows executable files (driver.exe and meet.exe) that hide the NjRAT payload, hinting at potential future campaigns utilizing these files.
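A triage check for proxy or DNS logs that flags the lookalike hostnames and the meeting-ID-style subpath described above, as an added example that is not from ThreatLabz or the original article. The allowlist of legitimate domains, the 9-11 digit meeting-ID pattern, and the sample paths are assumptions to tune for your environment.

```python
import re
from urllib.parse import urlsplit

# Assumption: registrable domains each service really uses; extend as needed.
LEGIT = {
    "skype": ("skype.com",),
    "zoom": ("zoom.us", "zoom.com"),
    "meet": ("google.com",),
}
# Assumption: a 9-11 digit path segment resembles a Zoom meeting ID.
MEETING_ID = re.compile(r"/\d{9,11}(?:/|$)")


def parse(url):
    """Refang a defanged URL and return (lower-case hostname, path)."""
    url = url.strip().replace("[.]", ".").replace("hxxp", "http", 1)
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path


def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def findings(url):
    """Return the reasons a URL looks like a spoofed meeting link."""
    host, path = parse(url)
    reasons = [
        f"{brand}-lookalike-host"
        for brand, domains in LEGIT.items()
        if brand in host and not any(under(host, d) for d in domains)
    ]
    # Only score the path when the host already failed the allowlist.
    if reasons and MEETING_ID.search(path):
        reasons.append("meeting-id-like-path")
    return reasons


if __name__ == "__main__":
    # Constructed log entries: hostnames from the article, paths invented.
    for url in ("join-skype[.]info", "online-cloudmeeting[.]pro",
                "hxxps://us06webzoomus[.]pro/j/12345678901",
                "https://us06web.zoom.us/j/12345678901"):
        print(url, findings(url))
```

Substring matching on a short token such as "meet" will also hit unrelated legitimate sites, so treat the output as a review queue rather than a block list.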

To protect themselves against evolving cyber threats like this one, enterprises are urged to implement security measures to guard against advanced malware attacks. Regular updates and security patches are crucial in reducing vulnerabilities exploited by attackers, minimizing the risk of compromise. Additionally, the researchers shared a list of specific MITRE ATT&CK techniques identified during their sandbox analysis process to aid in the detection and mitigation of similar threats.

In conclusion, the emergence of fake online meetings as a vehicle for malware distribution underscores the importance of vigilance and proactive cybersecurity measures to safeguard business users against evolving cyber threats. By staying informed and implementing robust security protocols, organizations can mitigate the risks posed by such malicious campaigns and protect their valuable data from unauthorized access and exploitation.
